Chapter 1: Nmap Fundamentals
Building Nmap's source code
Updating your local working copy
Customizing the building process
Finding live hosts in your network
Running the Nmap Scripting Engine during host discovery
Exploring more ping scanning techniques
Listing open ports on a target host
Privileged versus unprivileged
Scanning specific port ranges
Selecting a network interface
More port scanning techniques
Fingerprinting OS and services running on a target host
Increasing version detection intensity
Aggressive detection mode
OS detection in verbose mode
Submitting new OS and service fingerprints
Using NSE scripts against a target host
Reading targets from a file
Excluding a host list from your scans
Scanning IP address ranges
Scanning random targets on the Internet
Legal issues with port scanning
Collecting signatures of web servers
Monitoring servers remotely with Nmap and Ndiff
Monitoring specific services
Crafting ICMP echo replies with Nping
Managing multiple scanning profiles with Zenmap
Editing or deleting a scan profile
Running Lua scripts against a network connection with Ncat
Other ways of executing external commands with Ncat
Discovering systems with weak passwords with Ncrack
Configuring authentication options
Pausing and resuming attacks
Launching Nmap scans remotely from a web browser using Rainmap Lite
Chapter 2: Network Exploration
Discovering hosts with TCP SYN ping scans
Privileged versus unprivileged TCP SYN ping scan
Firewalls and traffic filtering
Discovering hosts with TCP ACK ping scans
Privileged versus unprivileged TCP ACK ping scans
Selecting ports in TCP ACK ping scans
Discovering hosts with UDP ping scans
Selecting ports in UDP ping scans
Discovering hosts with ICMP ping scans
Local versus remote networks
Discovering hosts with SCTP INIT ping scans
Unprivileged SCTP INIT ping scans
Selecting ports in SCTP INIT ping scans
Discovering hosts with IP protocol ping scans
Setting alternate IP protocols
Generating random data for the IP packets
Supported IP protocols and their payloads
Discovering hosts with ARP ping scans
Performing advanced ping scans
Discovering hosts with broadcast ping scans
Discovering new IPv6 targets
Gathering network information with broadcast scripts
Spoofing the origin IP of a scan
Choosing your zombie host wisely
The IP ID sequence number
Chapter 3: Reconnaissance Tasks
Performing IP address geolocation
Submitting a new geolocation provider
Getting information from WHOIS records
Selecting service providers
Ignoring referral records
Obtaining traceroute geolocation information
Querying Shodan to obtain target information
Saving the results in CSV files
Specifying a single target
Checking whether a host is flagged by Google Safe Browsing for malicious activities
Collecting valid e-mail accounts and IP addresses from web servers
Discovering hostnames pointing to the same IP address
Discovering hostnames by brute forcing DNS records
Customizing the dictionary
Adjusting the number of threads
Using the NSE library target
Obtaining profile information from Google's People API
Matching services with public vulnerability advisories
Chapter 4: Scanning Web Servers
Listing supported HTTP methods
Checking whether a web server is an open proxy
Discovering interesting files and folders in web servers
Abusing mod_userdir to enumerate user accounts
Brute forcing HTTP authentication
Brute forcing web applications
Brute forcing WordPress installations
Detecting web application firewalls
Detecting possible XST vulnerabilities
Detecting XSS vulnerabilities
Finding SQL injection vulnerabilities
Detecting web servers vulnerable to slowloris denial of service attacks
Finding web applications with default credentials
Detecting web applications vulnerable to Shellshock
Executing commands remotely
Spidering web servers to find vulnerable applications
Detecting insecure cross-domain policies
Finding attacking domains available for purchase
Detecting exposed source code control systems
Obtaining information from subversion source code control systems
Auditing the strength of cipher suites in SSL servers
Scraping e-mail accounts from web servers
Chapter 5: Scanning Databases
Brute forcing MySQL passwords
Finding root accounts with an empty password in MySQL servers
Detecting insecure configurations in MySQL servers
Brute forcing Oracle passwords
Brute forcing Oracle SID names
Retrieving information from MS SQL servers
Forcing NSE scripts for MS SQL to use scanned ports only
Brute forcing MS SQL passwords
Dumping password hashes of MS SQL servers
Running commands through xp_cmdshell in MS SQL servers
Finding system administrator accounts with empty passwords in MS SQL servers
Forcing MS SQL scripts to use scanned ports only
Obtaining information from MS SQL servers with NTLM enabled
Retrieving MongoDB server information
Detecting MongoDB instances with no authentication enabled
Listing MongoDB databases
Listing CouchDB databases
Retrieving CouchDB database statistics
Detecting Cassandra databases with no authentication enabled
Brute forcing Redis passwords
Chapter 6: Scanning Mail Servers
Detecting SMTP open relays
Brute forcing SMTP passwords
Detecting suspicious SMTP servers
Enumerating SMTP usernames
Brute forcing IMAP passwords
Retrieving the capabilities of an IMAP server
Brute forcing POP3 passwords
Retrieving the capabilities of a POP3 server
Retrieving information from SMTP servers with NTLM authentication
Chapter 7: Scanning Windows Systems
Obtaining system information from SMB
Detecting Windows clients with SMB signing disabled
Checking UDP when TCP traffic is blocked
Attacking hosts with message signing disabled
Detecting IIS web servers that disclose Windows 8.3 names
Bruteforcing Windows 8.3 names
Detecting Windows 8.3 names through different HTTP methods
Detecting Windows hosts vulnerable to MS08-067
Detecting other SMB vulnerabilities
Retrieving the NetBIOS name and MAC address of a host
Enumerating user accounts of Windows hosts
Selecting LSA bruteforcing or SAMR enumeration exclusively
Checking UDP when TCP traffic is blocked
Enumerating shared folders
Preparing a brute force password auditing attack
Checking UDP when TCP traffic is blocked
Finding domain controllers
Finding domain master browsers
Detecting Shadow Brokers' DOUBLEPULSAR SMB implants
Chapter 8: Scanning ICS SCADA Systems
Finding common ports used in ICS SCADA systems
Creating a database for HMI service ports
Enumerating Siemens SIMATIC S7 PLCs
Enumerating Modbus devices
Enumerating BACnet devices
Discovering the BACnet broadcast management device
Enumerating Ethernet/IP devices
Enumerating Niagara Fox devices
Enumerating ProConOS devices
Enumerating Omron PLC devices
Enumerating PCWorx devices
Chapter 9: Optimizing Scans
Skipping phases to speed up scans
Selecting the correct timing template
Adjusting timing parameters
Estimating round trip times with Nping
Displaying the timing settings
Adjusting performance parameters
Distributing a scan among several clients using Dnmap
Chapter 10: Generating Scan Reports
Saving scan results in a normal format
Saving scan results in an XML format
Structured script output for NSE
Saving scan results to a SQLite database
Dumping the database in CSV format
Saving scan results in a grepable format
Generating a network topology graph with Zenmap
Generating HTML scan reports
Reporting vulnerability checks
Generating PDF reports with fop
Generating reports in other formats
Saving NSE reports in Elasticsearch
Chapter 11: Writing Your Own NSE Scripts
Making HTTP requests to identify vulnerable Supermicro IPMI/BMC controllers
Setting the user agent programmatically
Sending UDP payloads using NSE sockets
Generating vulnerability reports in NSE scripts
Vulnerability states of the library vulns
Exploiting a path traversal vulnerability with NSE
Setting the user agent programmatically
Writing brute force password auditing scripts
Crawling web servers to detect vulnerabilities
Working with threads, condition variables, and mutexes in NSE
Writing a new NSE library in Lua
Writing a new NSE library in C/C++
Getting your scripts ready for submission
Appendix A: HTTP, HTTP Pipelining, and Web Crawling Configuration Options
Configuring the NSE library httpspider
Appendix B: Brute Force Password Auditing Options
Appendix C: NSE Debugging
Appendix D: Additional Output Options
Saving output in all formats
Appending Nmap output logs
Including debugging information in output logs
Including the reason for a port or host state
OS detection in verbose mode
Appendix E: Introduction to Lua
Conditional statements - if, then, elseif
Splitting and joining strings
Determining current coroutine
Getting the status of a coroutine
Things to remember when working with Lua
Appendix F: References and Additional Reading